Splunk Lantern

Application switch to Active Directory multi-tenant access

Your company uses SolarWinds Orion business software, which suffered the Sunburst Backdoor attack. You want to identify any lateral movement associated with the attack by checking whether any applications have been opened up to multi-tenancy.

Multi-tenant access allows accounts from any Active Directory or even personal accounts to access an application, rather than only those from one specific directory.


  1. Ensure you have installed the Microsoft Azure Add-on for Splunk.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="azure:aad:audit" activityDisplayName="Update application" operationType=Update 
result=success targetResources{}.modifiedProperties{}.displayName=AvailableToOtherTenants 
| table activityDateTime initiatedBy.user.userPrincipalName 
targetResources{}.displayName additionalDetails{}.value

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk Search | Explanation |
| --- | --- |
| sourcetype="azure:aad:audit" | Search only Azure Active Directory audit data. |
| activityDisplayName="Update application" | Search for the "update application" action. |
| operationType=Update result=success targetResources{}.modifiedProperties{}.displayName=AvailableToOtherTenants | Search for updates that successfully made a resource available to other tenants. |
| \| table activityDateTime initiatedBy.user.userPrincipalName targetResources{}.displayName additionalDetails{}.value | Display the results in a table with columns in the order shown. |
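
The search matches any successful change to AvailableToOtherTenants, whichever direction the value moved. The following added example (not part of the original article or the add-on) applies the same filters to constructed audit records in Python and marks only false-to-true changes. The oldValue and newValue fields follow the Microsoft Graph audit record schema, their "[true]" string encoding is an assumption, and every sample value is made up.

```python
import json

def _truthy(raw):
    """Decode a modifiedProperties value; assumed to be JSON text such as '[true]'."""
    try:
        val = json.loads(raw or "null")
    except (TypeError, ValueError):
        return False
    if isinstance(val, list):
        val = val[0] if val else None
    return val is True

def multi_tenant_changes(events):
    """Apply the search's filters, then report whether each change enabled multi-tenancy."""
    rows = []
    for ev in events:
        if (ev.get("activityDisplayName") != "Update application"
                or ev.get("operationType") != "Update"
                or str(ev.get("result", "")).lower() != "success"):
            continue
        for res in ev.get("targetResources") or []:
            for prop in res.get("modifiedProperties") or []:
                if prop.get("displayName") != "AvailableToOtherTenants":
                    continue
                user = (ev.get("initiatedBy") or {}).get("user") or {}
                rows.append({"time": ev.get("activityDateTime"),
                             "user": user.get("userPrincipalName"), "app": res.get("displayName"),
                             "enabled": _truthy(prop.get("newValue")) and not _truthy(prop.get("oldValue"))})
    return rows

def _event(time, app, old, new, result="success", prop="AvailableToOtherTenants"):
    """Build one constructed audit record (all values are made up for the example)."""
    return {
        "activityDateTime": time, "activityDisplayName": "Update application",
        "operationType": "Update", "result": result,
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
        "targetResources": [{"displayName": app, "modifiedProperties": [
            {"displayName": prop, "oldValue": old, "newValue": new}]}],
    }

SAMPLE_EVENTS = [  # constructed: enable, disable, failed attempt, unrelated property
    _event("2020-12-15T10:00:00Z", "payroll-app", "[false]", "[true]"),
    _event("2020-12-15T11:00:00Z", "wiki-app", "[true]", "[false]"),
    _event("2020-12-15T12:00:00Z", "crm-app", "[false]", "[true]", result="failure"),
    _event("2020-12-15T13:00:00Z", "hr-app", '["a"]', '["b"]', prop="DisplayName"),
]

if __name__ == "__main__":
    print(*multi_tenant_changes(SAMPLE_EVENTS), sep="\n")
```

Rows with enabled set to False still deserve a look in an investigation, since a setting that was switched on and later switched back off leaves exactly that trace.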

Next steps

The Microsoft Azure Add-on for Splunk has additional searches and pre-built security content for Azure data that can help you interpret these results and take additional steps to resolve security concerns related to changes to your Active Directory custom domains. 

You might also be interested in other processes associated with the Detecting lateral movement with Active Directory data use case.